From: Patrick Donnelly Date: Wed, 26 Mar 2025 02:05:09 +0000 (-0400) Subject: tools/ceph_authtool: allow configuring a preferred cipher X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=0ce81ffc4ee393e6ea82f00fbb1a8af24f4ee0f2;p=ceph-ci.git tools/ceph_authtool: allow configuring a preferred cipher This makes testing easier as we can configure all keys in the cluster to be the given "old" type without modifying each location that ceph-authtool is used. Signed-off-by: Patrick Donnelly --- diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in index 9309a8fe031..aa031a6a2ff 100644 --- a/src/common/options/global.yaml.in +++ b/src/common/options/global.yaml.in @@ -2264,6 +2264,13 @@ options: fmt_desc: If the Ceph version supports message signing, Ceph will sign all messages so they are more difficult to spoof. with_legacy: true +- name: cephx_preferred_cipher + type: str + level: dev + desc: preferred cipher to use for new authentication keys + default: recommended + flags: + - runtime - name: cephx_allowed_ciphers type: str level: advanced diff --git a/src/tools/ceph_authtool.cc b/src/tools/ceph_authtool.cc index 6fe749eb979..3d8f7aa38ae 100644 --- a/src/tools/ceph_authtool.cc +++ b/src/tools/ceph_authtool.cc @@ -67,7 +67,7 @@ int main(int argc, const char **argv) map caps; std::string fn; - int key_type = CryptoManager::get_key_type("recommended"); + int key_type = -1; if (args.empty()) { cerr << argv[0] << ": -h or --help for usage" << std::endl; 
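Review bot: The `desc` of `cephx_preferred_cipher` does not say which cipher names are accepted, or that any value other than `recommended` can make every newly generated authentication key use an older cipher. Since the commit message describes the option as a testing aid, I would add a `long_desc` stating that it is meant for tests, that it should stay at `recommended` otherwise, and which names are valid. A `see_also: - cephx_allowed_ciphers` entry would make the relation to the option directly below discoverable. If the set of names is fixed, an `enum_values` list would also reject a typo when the option is set rather than when a key is created.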
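Review bot: `int key_type = -1;` introduces an in-band "not chosen" sentinel without a comment, and it only works while every valid key type is non-negative. A short comment such as `// -1: no key type chosen yet; resolved from cephx_preferred_cipher after config init` would make the `if (key_type < 0)` check in the following hunk readable. A `std::optional<int>` would express the same state without relying on the value range. The rest of main, including any option that assigns key_type, lies outside the hunk.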
@@ -176,6 +176,12 @@ int main(int argc, const char **argv) common_init_finish(g_ceph_context); EntityName ename(g_conf()->name); + if (key_type < 0) { + auto cephx_preferred_cipher = g_conf().get_val("cephx_preferred_cipher"); + cerr << "using key type: " << cephx_preferred_cipher << std::endl; + key_type = CryptoManager::get_key_type(cephx_preferred_cipher); + } + // Enforce the use of gen-key or add-key when creating to avoid ending up // with an "empty" key (key = AAAAAAAAAAAAAAAA) if (create_keyring && !gen_key && add_key.empty() && !caps.empty()) {
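Review bot: The result of `CryptoManager::get_key_type(cephx_preferred_cipher)` is used without a check, so a misspelled or unsupported cipher name in the configuration reaches key creation as whatever get_key_type returns for an unknown name. Before this change the name was the fixed string "recommended"; now it is operator-supplied, so I would fail early right after the lookup, e.g. `if (key_type < 0) { cerr << "invalid cephx_preferred_cipher: " << cephx_preferred_cipher << std::endl; exit(1); }`. That assumes get_key_type signals an unknown name with a negative value, as the `< 0` sentinel suggests. The `cerr << "using key type: "` line also appears to print on every run that did not set a key type, including runs that only read or list a keyring; main's option parsing and key-creation branches are outside the hunk, so confirm. If so, it would be less noisy inside the branch that actually generates a key.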